Make systemd-analyze security happy

author: Thomas Gerbet 2020-05-10 22:41:21 +0200
committer: Thomas Gerbet 2020-05-10 22:41:21 +0200
commit: d563baebdcd92c7ccc1026765b0cb8b2673091e3 (patch)
tree: a69d27aeab9a1e35efc39e5adaf4011203153ef7
parent: b06c80be4cdff3654ef9ea2c042604318f1d047d (diff)
download: aur-d563baebdcd92c7ccc1026765b0cb8b2673091e3.tar.gz
3 files changed, 27 insertions, 5 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 43cd354a1d76..d9854bceed2f 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
 pkgbase = yubikey-agent
 	pkgdesc = A seamless ssh-agent for YubiKeys
 	pkgver = 0.1.1
-	pkgrel = 1
+	pkgrel = 2
 	url = https://filippo.io/yubikey-agent
 	arch = x86_64
 	license = BSD
@@ -10,7 +10,7 @@ pkgbase = yubikey-agent
 	source = https://github.com/FiloSottile/yubikey-agent/archive/v0.1.1.tar.gz
 	source = yubikey-agent.service
 	sha256sums = ba105395ec8321512742f69ce9cf7fc2fe4e107cf667c2b48d13749efff23d5c
-	sha256sums = 29de8c4a3825f17919154fcc775a4c9da1e42569e8aee5b5e5b5150f25d2810f
+	sha256sums = f50e0876cb6d13d7cbbb325053f3c6702aabc16948e266cc7c92a0ffc9ace0b9
 
 pkgname = yubikey-agent
 
diff --git a/PKGBUILD b/PKGBUILD
index 9ad374ed28b8..ff772d7c6000 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -6,7 +6,7 @@
 
 pkgname=yubikey-agent
 pkgver=0.1.1
-pkgrel=1
+pkgrel=2
 pkgdesc='A seamless ssh-agent for YubiKeys'
 arch=('x86_64')
 url="https://filippo.io/yubikey-agent"
@@ -19,7 +19,7 @@ source=(
 )
 sha256sums=(
   'ba105395ec8321512742f69ce9cf7fc2fe4e107cf667c2b48d13749efff23d5c'
-  '29de8c4a3825f17919154fcc775a4c9da1e42569e8aee5b5e5b5150f25d2810f'
+  'f50e0876cb6d13d7cbbb325053f3c6702aabc16948e266cc7c92a0ffc9ace0b9'
 )
 
 build() {
diff --git a/yubikey-agent.service b/yubikey-agent.service
index be8b2a970977..95f6d8c1cdde 100644
--- a/yubikey-agent.service
+++ b/yubikey-agent.service
@@ -6,7 +6,29 @@ Documentation=https://filippo.io/yubikey-agent
 ExecStart=/usr/bin/yubikey-agent -l %t/yubikey-agent/yubikey-agent.sock
 ExecReload=/bin/kill -HUP $MAINPID
 ProtectSystem=strict
-NoNewPrivileges=true
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+ProtectClock=yes
+ProtectHostname=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateUsers=yes
+IPAddressDeny=any
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+CapabilityBoundingSet=
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+NoNewPrivileges=yes
+KeyringMode=private
+UMask=0177
 RuntimeDirectory=yubikey-agent
 
 [Install]
author	Thomas Gerbet	2020-05-10 22:41:21 +0200
committer	Thomas Gerbet	2020-05-10 22:41:21 +0200
commit	d563baebdcd92c7ccc1026765b0cb8b2673091e3 (patch)
tree	a69d27aeab9a1e35efc39e5adaf4011203153ef7
parent	b06c80be4cdff3654ef9ea2c042604318f1d047d (diff)
download	aur-d563baebdcd92c7ccc1026765b0cb8b2673091e3.tar.gz